EDR catches Emotet at MSP’s Healthcare Customer

The Network: A Managed Service Provider (MSP) installed EventTracker Essentials with EDR to mitigate threats on 900 endpoints at a Community Health network in North Eastern United States.

The Expectation: EventTracker managed Essentials services with endpoint threat detection and response capability would deliver end-to-end protection.

The Catch: The EventTracker SOC (Security Operations Center) observed an unsafe MD5 hash and network connection activity with a malicious IP address which was permitted by the installed (and up to date) Anti-Virus.

The Find: We detected a connection with a poor IP address reputation due to suspicious threat activity. The EventTracker SOC analyst used the advanced logic in EventTracker SIEM, and quickly discovered that Emotet malware was active in the customer’s environment. The analyst was able to trace the path of the attack as shown in the figure below:

The user launched MS Word on a Windows 10 desktop and was enticed into enabling macros. This caused two actions, the launch of an EXE in C:\ProgramData and a PowerShell command to be launched. The EXE in C:\ProgramData was intercepted by the Anti Virus program but the PowerShell command was allowed which dropped a file called 379.exe in the temp folder and a clone of this file called defineguids.exe under AppData\Local. Notice the MD5 hash of both 379.exe and defineguids.exe is the same. In addition defineguids.exe also contacted three public IP addresses which are known to be Command & Control (C&C) Emotet infections.

The original EXE defineguids.exe is Microsoft provided but this one is malware. The Anti-Virus signature definitions at the time of this attack allowed these EXEs but have since been updated so that this infection will now be blocked. Close but no cigar.

The Fix: The EventTracker SOC promptly alerted the MSP to the compromise. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system.
As a part of the EventTracker threat intelligence distribution process, all indicators of compromise (IoC) and hashes were shared among the same business tenant to identify and thwart any present and future threats across all the MSP’s numerous clients.

The identified systems were taken off the network. Once the threats were mitigated, the systems were cleared and reconnected to the healthcare organization's network.

The Lesson: Traditional signature based Anti-Virus is easily defeated by the modern attacker. File less malware (in this case PowerShell based) is able to evade such defenses. EDR technology with application control is far more effective. The 24/7 SOC was quick and responsive in detecting the infection and providing actionable intelligence. The integrated SIEM and EDR capability was instrumental in detecting the other elements of the kill-chain.